voodooKobra

ZF05 Industry Check

Feb 3rd, 2015

                                     |
                             \ /     _\/_
     Industry check        .-'-.    //o\  _\/_
                        --  /   \  --  |   /o\\
^^~^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^-=======-~^~~^^~~^~^~^~|~~^~^|^~`
     We don't talk to police                                  |
     We don't make a peace bond

The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS
poisoning will destroy life as we know it. You have Matasano harvesting talent
and critiquing everyone, and then Ptacek can only announce the release of....a
graphical firewall management client. There's kingcope killing bugs and
dropping weaponized exploits while making no other contribution except putting
a smile on the face of kiddies. There's iDefense and their competitors selling
exploits and only doing research in how to make more exploits. There's Jeff
Moss running a conference under the hideous misnomer "Blackhat Briefings" where
the same researchers search for glory and present the same shit year after
year. There are people who just live press release by press release. And on top
of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry
cares about virtualization one year and iPhones the next, every year forgetting
the lessons it should have picked up in the last.

If you are just someone looking to pay a fair price to not get owned, you find
out quickly that none of these people exist to help you. Very few people in
this industry have their income model based around actually making you more
secure. At best, some of them have it based around convincing you that you are
better off.
The very concept of "penetration testing" is fundamentally flawed. The problem
with it is that the penetration tester has a limited set of targets they're
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box. So if a site on a shared host is being tested, just
because site1.com is "secure" that does NOT in any way mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks. The time constraint is another problem. A professional pentester with
a week or two to spend on a client's network may or may not get into
everything. A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.

Those things should all be very obvious, but whitehats still make the mistake
of discounting them. Look at Mitnick. Every time he gets owned he blames his
host or his DNS provider. If he's getting owned through them, that's still his
fault. Choosing a host is a security decision, it's just like choosing a
password. If you choose a weak one you expose yourself. It's still your fault.

It's the same with outsourcing the development of your security-critical code.
Mitnick could get someone else to make him a flashy website, and then blame
them when it is full of file include vulnerabilities. People do this all the
time, indirectly, by using ridiculous CMS or blog software. As an easy example,
look at Wordpress. Even easier, look at Wordpress in 2007. Horrid. When
considering Wordpress, a blackhat starts reading the PHP, shudders and giggles,
and then laughs at the idea of ever using it on one of their servers. A
whitehat never gets that far apparently, they just install it and get owned. I
simply fail to see how leading security researchers run all kinds of code that
is blatantly dangerous. Are they really that bad at reading code? Or do they
just not care much if their passwords end up on Full Disclosure? If it's the
second option, why is that? Why can these people make a living selling
security when they make such bad choices? How do they maintain legitimacy? They
take less responsibility for getting owned than do the people who they sell
services to.

There's a popular term for people who don't read code. We call them script
kiddies.

You cannot outsource blame. You HAVE to take responsibility for your mistakes,
whether they are mistakes in your code, mistakes in code you are using,
mistakes by your host, or mistakes in who you trust. These are all security
choices. Learn to control this shit. Learn how to read code. A lot of the time
it only takes a very shallow audit to realise that the code is crap and is
bound to have bugs. In a smarter world, security professionals get paid to stop
people from getting owned. End of. There is no limit to the scope of an audit.

Are you professional types really this out of touch? I see all these papers
about how to protect yourself from these super-fucking-advanced techniques and
exploits that very few people can actually develop, and most hackers will NEVER
USE. It's the simple stuff that works now, and will continue to work years into
the future. Not only is it way easier to dev for simple mistakes, but they are
easier to find and are more plentiful.

The whole concept of full-disclosure has backfired. It will never work. It's
some slashdot hippie pipe dream. Even you dumbass corporate types should
recognize this. If you're constantly giving away all the vulnerabilities you
find, for *FREE* mind you (and what other industry does that?), and the
vulnerabilities get harder and harder to find and exploit, it will get harder
and harder for you all to do your "job". Frankly, I'm surprised that the
non-disclosure movement didn't start in the security industry in the first
place. In a way it did, by default. With full-disclosure, the security
industry is all about show and gloat, it is not about fixing anything. A lot of
bugs have been fixed from it, but it comes with the price of an industry that
likes to cripple itself. Projects run by teams of trained monkeys are always
eager to add more bugs to replace those that have been fixed.

We hate the industry because it is full of shit. There are so many trolls like
Kaminsky who just desperately search for anything new, to get attention. So
many talentless buffoons trying to scam the planet. A lot of the actual talent
out there is severely misapplied. It's an industry tied to news and not
results, because very few of you can even attain results. When you can't, who's
the wiser? Your customers can hardly tell if you have really made them more
secure or not. Sometimes there are superficial benefits, sometimes there
aren't. How do you convince the customer that they are more ZF0-safe than
before, if they were never targeted and probably never will be? And you all
lack the legitimacy to really do the job you should anyways. We can only expose
so many frauds, the rest of you can pretend you have changed something.

Very few whitehats actually go out there and provide a service where they make
people more secure. Not just for a day or a month. Are you genuinely fixing the
underlying design and logic flaws that generate security problems for your
clients or customers? If you actually clean up every exposed security flaw they
have, will they still be "secure" in six months or a year?

We could go on. Just in general, the industry is failing. Flat out failing.

You cannot even protect yourselves.